
ci: pin actions to full commit SHAs #113

Open
eepifanova wants to merge 1 commit into main from pin-actions

Conversation

@eepifanova

Summary

Pin action refs from mutable tags to full commit SHAs to prevent supply-chain attacks.

Changes

| Action | Before | After |
| --- | --- | --- |
| actions/checkout | v6 | de0fac2e... |

Applied to: alpine.yml, ubuntu.yml

No behavioral changes — supply-chain hardening only.

- actions/checkout: v6 -> de0fac2e...

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
eepifanova requested a review from p-pautov on March 27, 2026 15:22
@p-pautov
Contributor

That could make sense for 3rd-party actions, but not so much for GitHub-provided actions from "actions/*". By using major version tag, we automatically get all the minor updates currently.

@eepifanova
Author

> That could make sense for 3rd-party actions, but not so much for GitHub-provided actions from "actions/*". By using major version tag, we automatically get all the minor updates currently.

It's not a question of trust. It's a way to prevent a supply-chain attack so that new malicious code will not be able to affect repos using these actions.

@p-pautov
Contributor

> > That could make sense for 3rd-party actions, but not so much for GitHub-provided actions from "actions/*". By using major version tag, we automatically get all the minor updates currently.
>
> It's not a question of trust. It's a way to prevent supply-chain attack so the new malicious code will not be able to affect repos using these actions.

It is a question of trust in the action provider and its security processes. In the case of "actions/*" it's GitHub, which we have to trust if we host code here.

@thresheek
Member

You overestimate the quality of processes on GitHub. We do use their infra to spawn and run checks, but who owns actions/* is an entirely different matter since the teams are not connected. There is no guarantee they are under the same strict control security-wise, or else.

I'm just saying that it's better to be safe than sorry. We can always bump the ids if we see issues.
